Add custom tag to zeek filebeat module

kcrawford19 · October 21, 2021, 6:33pm

Hello,

I am configuring an ELK stack and would like to use filebeat to read in zeek logs. Below is a snippet of my filebeat module configuration:

# cat /etc/filebeat/modules.d/zeek.yml
- module: zeek
  capture_loss:
    enabled: true
    var.paths: ["/var/log/zeek/capture_loss.log"]
  connection:
    enabled: true
    var.paths: ["/var/log/zeek/conn.log"]
  dce_rpc:
    enabled: false
  dhcp:
    enabled: true
    var.paths: ["/var/log/zeek/dhcp.log"]
  dnp3:
    enabled: false
  dns:
    enabled: true
    var.paths: ["/var/log/zeek/dns.log"]
  dpd:
    enabled: false
  files:
    enabled: true
    var.paths: ["/var/log/zeek/files.log"]

I would like to add a tag to all the outputs from this module using an environment variable something along the lines of:

  input:
    processors:
      - add_tags:
          tags: [ "${SOURCE}" ]
          target: "pcapSource"

How would I go about configuring this?

system · November 18, 2021, 8:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Zeek Module - Custom Zeek Install Location Beats filebeat	3	932	August 16, 2019
Filebeat: How can I add tags to module input in filebeat? Beats beats-module , filebeat	5	6692	August 16, 2021
Zeek monitoring using filebeats Beats filebeat	7	332	December 13, 2022
Ingesting PCAP dataset into ELK via Zeek and Zeek scripting Beats filebeat	4	1234	September 21, 2021
Using Filebeat with Zeek (issue with configuration) Beats filebeat	6	4952	September 26, 2019

Add custom tag to zeek filebeat module

Related Topics